Notices

Following this note is a copy of the Notice of Privacy Practices which is required by the Health Insurance Portability and Accountability Act of 1996. Questions concerning this document and the rights of covered employees and dependents can be directed to the university’s HIPAA Privacy Officer at the Office of General Counsel in 356 University Hall or at (937) 775-2475.

Wright State University - Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes numerous requirements concerning the use and disclosure of individual health information. This information, known as protected health information, includes virtually all individually identifiable health information held by Wright State University whether received in writing, in an electronic medium, or as an oral communication. This notice describes the privacy practices of the following:

All of the entities listed will share personal health information as necessary to carry out treatment, payment, and health care operations as permitted by law.

The entities covered by this notice may share health information with each other to carry out Treatment, Payment, or Health Care Operations. These entities are collectively referred to as the Entity in this notice, unless specified otherwise.

The Entity’s duties with respect to health information about you

The Entity is required by law to maintain the privacy of your health information and to provide you with this notice of the Entity’s legal duties and privacy practices with respect to your health information. If you participate in an insured plan option, you will receive a notice directly from the Insurer. It’s important to note that these rules apply to the Entity, not Wright State University as an employer—that’s the way the HIPAA rules work. Different policies may apply to other Wright State University programs or to data unrelated to the health Entity.

How the Entity may use or disclose your health information

The privacy rules generally allow the use and disclosure of your health information without your permission (known as an authorization) for purposes of health care Treatment, Payment activities, and Health Care Operations. Here are some examples of what that might entail:

Treatment includes providing, coordinating, or managing health care by one (1) or more health care providers or doctors. Treatment can also include coordination or management of care between a provider and a third party, and consultation and referrals between providers. For example, the Entity may share health information about you with physicians who are treating you.

Payment includes activities by this Entity, other health plans, or providers to obtain premiums, make coverage determinations and provide reimbursement for health care. This can include eligibility determinations, reviewing services for medical necessity or appropriateness, utilization management activities, claims management, and billing; as well as “behind the scenes” Entity functions such as risk adjustment, collection, or reinsurance. For example, the Entity may share information about your coverage or the expenses you have incurred with another health Entity in order to coordinate payment of benefits.

Health care operations include activities by this Entity (and in limited circumstances other plans or providers) such as wellness and risk assessment programs, quality assessment and improvement activities, customer service, and internal grievance resolution. Health care operations also include vendor evaluations, credentialing, training, accreditation activities, underwriting, premium rating, arranging for medical review and audit activities, and business planning and development. For example, the Entity may use information about your claims to review the effectiveness of wellness programs.

The amount of health information used or disclosed will be limited to the “Minimum Necessary” for these purposes, as defined under the HIPAA rules. The Entity may also contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.

How the Entity may share your health information with Wright State University

The Entity, or its health insurer or HMO, may disclose your health information without your written authorization to Wright State University for Entity administration purposes. Wright State University may need your health information to administer benefits under the Entity. Wright State University agrees not to use or disclose your health information other than as permitted or required by the Entity documents and by law.

Here’s how additional information may be shared between the Entity and Wright State University, as allowed under the HIPAA rules:

The Entity, or its Insurer or HMO, may disclose “summary health information” to Wright State University if requested, for purposes of obtaining premium bids to provide coverage under the Entity, or for modifying, amending, or terminating the Entity. Summary health information is information that summarizes participants’ claims information, but from which names and other identifying information have been removed.

The Entity, or its Insurer or HMO, may disclose to Wright State University information on whether an individual is participating in the Entity, or has enrolled or disenrolled in an insurance option or HMO offered by the Entity.

In addition, you should know that Wright State University cannot and will not use health information obtained from the Entity for any employment-related actions. However, health information collected by Wright State University from other sources, for example under the Family and Medical Leave Act, Americans with Disabilities Act, or workers’ compensation is not protected under HIPAA (although this type of information may be protected under other federal or state laws).

Other allowable uses or disclosures of your health information

In certain cases, your health information can be disclosed without authorization to a family member, close friend, or other person you identify who is involved in your care or payment for your care. Information describing your location, general condition, or death may be provided to a similar person (or to a public or private entity authorized to assist in disaster relief efforts). You’ll generally be given the chance to agree or object to these disclosures (although exceptions may be made, for example if you’re not present or if you’re incapacitated). In addition, your health information may be disclosed without authorization to your legal representative.

The Entity is also allowed to use or disclose your health information without your written authorization for the following activities:

Workers’ compensation: Disclosures to workers’ compensation or similar legal programs that provide benefits for work-related injuries or illness without regard to fault, as authorized by and necessary to comply with such laws

Necessary to prevent serious threat to health or safety: Disclosures made in the good-faith belief that releasing your health information is necessary to prevent or lessen a serious and imminent threat to public or personal health or safety, if made to someone reasonably able to prevent or lessen the threat (including disclosures to the target of the threat); includes disclosures to assist law enforcement officials in identifying or apprehending an individual because the individual has made a statement admitting participation in a violent crime that the Entity reasonably believes may have caused serious physical harm to a victim, or where it appears the individual has escaped from prison or from lawful custody

Public health activities: Disclosures authorized by law to persons who may be at risk of contracting or spreading a disease or condition; disclosures to public health authorities to prevent or control disease or report child abuse or neglect; and disclosures to the Food and Drug Administration to collect or report adverse events or product defects

Victims of abuse, neglect, or domestic violence: Disclosures to government authorities, including social services or protected services agencies authorized by law to receive reports of abuse, neglect, or domestic violence, as required by law or if you agree or the Entity believes that disclosure is necessary to prevent serious harm to you or potential victims (you’ll be notified of the Entity’s disclosure if informing you won’t put you at further risk)

Judicial and administrative proceedings: Disclosures in response to a court or administrative order, subpoena, discovery request, or other lawful process (the Entity may be required to notify you of the request, or receive satisfactory assurance from the party seeking your health information that efforts were made to notify you or to obtain a qualified protective order concerning the information)

Law enforcement purposes: Disclosures to law enforcement officials required by law or pursuant to legal process, or to identify a suspect, fugitive, witness, or missing person; disclosures about a crime victim if you agree or if disclosure is necessary for immediate law enforcement activity; disclosure about a death that may have resulted from criminal conduct; and disclosure to provide evidence of criminal conduct on the Entity’s premises

Decedents: Disclosures to a coroner or medical examiner to identify the deceased or determine cause of death; and to funeral directors to carry out their duties

Organ, eye, or tissue donation: Disclosures to organ procurement organizations or other entities to facilitate organ, eye, or tissue donation and transplantation after death

Research purposes: Disclosures subject to approval by institutional or private privacy review boards, and subject to certain assurances and representations by researchers regarding necessity of using your health information and treatment of the information during a research project

Health oversight activities: Disclosures to health agencies for activities authorized by law (audits, inspections, investigations, or licensing actions) for oversight of the health care system, government benefits programs for which health information is relevant to beneficiary eligibility, and compliance with regulatory programs or civil rights laws

Specialized government functions: Disclosures about individuals who are Armed Forces personnel or foreign military personnel under appropriate military command; disclosures to authorized federal officials for national security or intelligence activities; and disclosures to correctional facilities or custodial law enforcement officials about inmates

HHS investigations: Disclosures of your health information to the Department of Health and Human Services (HHS) to investigate or determine the Entity’s compliance with the HIPAA privacy rule

Except as described in this notice, other uses and disclosures will be made only with your written authorization. You may revoke your authorization as allowed under the HIPAA rules. However, you can’t revoke your authorization if the Entity has taken action relying on it. In other words, you can’t revoke your authorization with respect to disclosures the Entity has already made.

You have the following rights with respect to your health information the Entity maintains. These rights are subject to certain limitations, as discussed below. This section of the notice describes how you may exercise each individual right. See the table at the end of this notice for information on how to submit requests.

Right to request restrictions on certain uses and disclosures of your health information and the Entity’s right to refuse

You have the right to ask the Entity to restrict the use and disclosure of your health information for Treatment, Payment, or Health Care Operations, except for uses or disclosures required by law. You have the right to ask the Entity to restrict the use and disclosure of your health information to family members, close friends, or other persons you identify as being involved in your care or payment for your care. You also have the right to ask the Entity to restrict use and disclosure of health information to notify those persons of your location, general condition, or death — or to coordinate those efforts with entities assisting in disaster relief efforts. If you want to exercise this right, your request to the Entity must be in writing.

The Entity is not required to agree to a requested restriction. And if the Entity does agree, a restriction may later be terminated by your written request, by agreement between you and the Entity (including an oral agreement), or unilaterally by the Entity for health information created or received after you’re notified that the Entity has removed the restrictions. The Entity may also disclose health information about you if you need emergency treatment, even if the Entity has agreed to a restriction.

Right to receive confidential communications of your health information

If you think that disclosure of your health information by the usual means could endanger you in some way, the Entity will accommodate reasonable requests to receive communications of health information from the Entity by alternative means or at alternative locations.

If you want to exercise this right, your request to the Entity must be in writing, and you must include a statement that disclosure of all or part of the information could endanger you.

Right to inspect and copy your health information

With certain exceptions, you have the right to inspect or obtain a copy of your health information in a “Designated Record Set.” This may include medical and billing records maintained for a health care provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by a Entity; or a group of records the Entity uses to make decisions about individuals. However, you do not have a right to inspect or obtain copies of psychotherapy notes or information compiled for civil, criminal, or administrative proceedings. In addition, the Entity may deny your right to access, although in certain circumstances you may request a review of the denial.

If you want to exercise this right, your request to the Entity must be in writing. Within 30 days of receipt of your request (60 days if the health information is not accessible onsite), the Entity will provide you with:

The access or copies you requested;

A written denial that explains why your request was denied and any rights you may have to have the denial reviewed or file a complaint; or

A written statement that the time period for reviewing your request will be extended for no more than 30 more days, along with the reasons for the delay and the date by which the Entity expects to address your request.

The Entity may provide you with a summary or explanation of the information instead of access to or copies of your health information, if you agree in advance and pay any applicable fees. The Entity may also charge reasonable fees for copies or postage.

If the Entity doesn’t maintain the health information but knows where it is maintained, you will be informed of where to direct your request.

Right to amend your health information that is inaccurate or incomplete

With certain exceptions, you have a right to request that the Entity amend your health information in a Designated Record Set. The Entity may deny your request for a number of reasons. For example, your request may be denied if the health information is accurate and complete, was not created by the Entity (unless the person or entity that created the information is no longer available), is not part of the Designated Record Set, or is not available for inspection (e.g., psychotherapy notes or information compiled for civil, criminal, or administrative proceedings).

If you want to exercise this right, your request to the Entity must be in writing, and you must include a statement to support the requested amendment. Within 60 days of receipt of your request, the Entity will:

Make the amendment as requested;

Provide a written denial that explains why your request was denied and any rights you may have to disagree or file a complaint; or

Provide a written statement that the time period for reviewing your request will be extended for no more than 30 more days, along with the reasons for the delay and the date by which the Entity expects to address your request.

Right to receive an accounting of disclosures of your health information

You have the right to a list of certain disclosures the Entity has made of your health information. This is often referred to as an “accounting of disclosures.” You generally may receive an accounting of disclosures if the disclosure is required by law, in connection with public health activities, or in similar situations listed in the table earlier in this notice, unless otherwise indicated below.

You may receive information on disclosures of your health information going back for six (6) years from the date of your request, but not earlier than April 14, 2003 (the general date that the HIPAA privacy rules are effective). You do not have a right to receive an accounting of any disclosures made:

For Treatment, Payment, or Health Care Operations;

To you about your own health information;

Incidental to other permitted or required disclosures;

Where authorization was provided;

To family members or friends involved in your care (where disclosure is permitted without authorization);

For national security or intelligence purposes or to correctional institutions or law enforcement officials in certain circumstances; or

As part of a “limited data set” (health information that excludes certain identifying information).

In addition, your right to an accounting of disclosures to a health oversight agency or law enforcement official may be suspended at the request of the agency or official.

If you want to exercise this right, your request to the Entity must be in writing. Within 60 days of the request, the Entity will provide you with the list of disclosures or a written statement that the time period for providing this list will be extended for no more than 30 more days, along with the reasons for the delay and the date by which the Entity expects to address your request. You may make one (1) request in any 12-month period at no cost to you, but the Entity may charge a fee for subsequent requests. You’ll be notified of the fee in advance and have the opportunity to change or revoke your request.

Right to obtain a paper copy of this notice from the Entity upon request

You have the right to obtain a paper copy of this Privacy Notice upon request. Even individuals who agreed to receive this notice electronically may request a paper copy at any time.

Changes to the information in this notice

The Entity must abide by the terms of the Privacy Notice currently in effect. This notice takes effect on April 14, 2003. However, the Entity reserves the right to change the terms of its privacy policies as described in this notice at any time, and to make new provisions effective for all health information that the Entity maintains. This includes health information that was previously created or received, not just health information created or received after the policy is changed. If changes are made to the Entity’s privacy policies described in this notice, you will be provided with a revised Privacy Notice to your e-mail address.

Complaints

If you believe your privacy rights have been violated, you may complain to the Entity and to the Secretary of U.S. Department of Health and Human Services in Washington D.C. in writing within 180 days of a violation of your rights. You won’t be retaliated against for filing a complaint. You may also file a complaint with the University’s HIPAA Privacy Officer at:

Office of General Counsel, 356 University Hall, Wright State University, Dayton, Ohio 45435.

Contact

For more information on the Entity’s privacy policies or your rights under HIPAA, contact the Office of General Counsel at (937) 775-2475.